Well, there are ways that another well-known CA can sign a cert that you can then use as a CA for signing / issuing certs... which may be helpful for business-to-business transactions / connections.

And Verisign has a mountain bunker and dedicated staff to keeping their roots safe. And it helps some that they have active CRLs and OCSP responders. The trust issue is just a trust issue. No more, no less. Really no different than trusting a local pharmacy.

There is blockchain PKI. I just started investigating various blockchain-related technology. But it may be a way to be less dependent on centralized authorities.

Rob Schramm

On Wed, Jun 22, 2016, 11:18 AM Charles Mills <[email protected]> wrote:

> Right.
>
> This is the confusion on what self-signed means. "Properly" (to be a pedant) self-signed means the certificate is at the head (or bottom, if you will) of the chain. It attests to its own validity; it signs itself; it is not signed by some other certificate -- self-signed does NOT mean that it is signed by you yourselves as opposed to some "known and trusted" authority.
>
> There is no way you can become a "known and trusted authority" unless you want to go to the trouble of competing with Verisign and GoDaddy and become a known and trusted authority.
>
> OpenSSL (and other tools presumably) can create a self-signed certificate. They can create a chain of certificates signed by your in-house authority. But no tool can make you into Verisign or GoDaddy. No tool can make you known and trusted.
>
> Verisign and GoDaddy are known and trusted simply because they are known and trusted. There is nothing in the TLS protocol that makes them any different from your in-house authority, or for that matter, a private little root certificate that you create on your desktop.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gord Tomlin
> Sent: Wednesday, June 22, 2016 7:17 AM
> To: [email protected]
> Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc
>
> On 2016-06-22 10:01, Donald J. wrote (snipped):
> > With the recent talk about negative aspects of using self-signed certs, I attempted to see if OpenSSL could be used to generate a root certificate and a user cert chained to that root cert.
>
> This appears to me to just build a "son of a self-signed certificate", since your root certificate will not be a known and trusted certificate.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Rob Schramm
The Art of Mainframe, Inc
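The exchange above (Donald's root-plus-user-cert experiment, and Gord's and Charles's point that the chain is only as trusted as its root) as an added worked example, not code posted by anyone in the thread. It builds an in-house root CA with the OpenSSL command line, issues a server certificate chained to it, and then runs the same chain verification twice: once with the in-house root supplied as a trust anchor and once with no trust anchor at all, which is what any client that was never told about your root sees. The CA name, the server name, the working directory and the config file are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build an in-house root CA with OpenSSL,
# issue a leaf certificate chained to it, and show that the chain verifies only
# when the verifier has been told to trust that root. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
# The [dn] entry is a placeholder; -subj on the command line overrides it.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Leaf extensions: explicitly not a CA, with a constructed SAN.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:server.example.test\n' \
  > "$WORK/leaf.ext"

make_root() {
  # Self-signed root: head of the chain; it signs itself and carries CA:TRUE.
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example In-House Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

make_leaf() {
  # Key + CSR for the server, then sign the CSR with the root:
  # the "son of a self-signed certificate" from the thread.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=server.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Issuer DN of the leaf, to show it chains to the in-house root and not to itself.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

# A client that has been given the in-house root as a trust anchor: succeeds.
verify_with_trust() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# A client that was never told about your root (default trust store only,
# no -CAfile/-CApath): fails with "unable to get local issuer certificate".
verify_without_trust() {
  openssl verify -no-CAfile -no-CApath "$WORK/leaf.pem" >/dev/null 2>&1
}

make_root
make_leaf
leaf_issuer
if verify_with_trust; then echo "with in-house root as trust anchor: OK"; fi
if verify_without_trust; then echo "without trust anchor: unexpectedly OK"; else echo "without trust anchor: rejected"; fi
```

The `-no-CAfile` and `-no-CApath` options of `openssl verify` exist from OpenSSL 1.1.0 onward; on older builds drop them and the second check simply runs against the system store, which does not contain the constructed root either. The second result is the whole point of the thread: nothing in the leaf certificate or in TLS distinguishes this chain from one issued by a commercial CA, the only difference is whether the relying party's trust store already holds the root.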
